WEBVTT

00:00.320 --> 00:00.710
Hello.

00:00.710 --> 00:07.880
In this lecture, we're going to do the registry analysis with the previously infected Windows image

00:08.150 --> 00:09.320
virtual memory here.

00:09.320 --> 00:16.430
So information about every user, setting, program and the Windows operating system itself

00:16.430 --> 00:18.530
can be found within the registry.

00:18.680 --> 00:24.650
Even hashed passwords can be found in the registry, in the Windows Registry analysis.

00:24.650 --> 00:34.280
And we're going to use the two plugins for this, hive scan, in the next lectures.

00:34.280 --> 00:39.920
We're going to do more detailed and like advanced registry analysis here.

00:39.920 --> 00:45.350
But this is just an intermediate level of registry analysis.

00:45.770 --> 00:52.490
The first plugin we're going to use is the hive scan and the second is the hive list.

00:52.490 --> 00:56.150
So let's start with hive scan here, Enter.

00:56.150 --> 00:59.870
And yeah, also I want to notify that you have to.

01:00.980 --> 01:04.220
Specify the profile of nowhere.

01:04.530 --> 01:05.360
No, no, no, no, no, no.

01:06.140 --> 01:06.830
Here.

01:07.750 --> 01:08.380
Hive scan.

01:09.770 --> 01:10.430
Okay.

01:11.390 --> 01:16.430
So this is the output and the numbers are presented here.

01:16.430 --> 01:23.630
Location of hives on the hard disk, so we can find more information on the registry, more information

01:23.630 --> 01:26.450
about registry in Wikipedia here.

01:26.450 --> 01:28.760
Let's look at the details here.

01:29.540 --> 01:31.550
Windows Registry.

01:33.980 --> 01:39.560
Wikipedia here and yeah, it can tell us some examples here.

01:39.560 --> 01:40.010
Yeah.

01:40.040 --> 01:49.910
As you can see, this is the list of standard registry values and here are the valid registries.

01:50.630 --> 01:52.850
Belongs to what and what is inside them.

01:52.850 --> 01:59.810
For example, in our local machine we have HKEY_LOCAL_MACHINE, which stores settings that are specific

01:59.810 --> 02:01.460
to the local computer.

02:01.490 --> 02:10.810
We have HKEY_USERS, which contains subkeys corresponding to each user profile actively loaded on the machine,

02:10.910 --> 02:11.710
though user

02:11.720 --> 02:15.860
hives are usually only loaded for currently logged-in users.

02:15.860 --> 02:22.460
So now I'm going to open the windows here and change the windows while we're going to.

02:22.490 --> 02:26.930
We are searching about this information in registry here.

02:26.930 --> 02:29.240
So let's open the Windows here.

02:29.510 --> 02:30.050
Yeah.

02:30.080 --> 02:35.520
While Windows is opening, I'm going to are we going to read more here?

02:35.520 --> 02:37.620
We also have performance data.

02:37.620 --> 02:44.880
Current user, as the name suggests, stores the settings that are specific to the currently logged

02:44.880 --> 02:45.780
in users.

02:45.810 --> 02:47.670
There are more examples here.

02:47.670 --> 02:52.800
Registry is just a big file that contains Windows

02:53.550 --> 02:56.520
settings and other information about the system.

02:56.520 --> 02:59.820
So let's change our change here.

02:59.850 --> 03:01.950
Let's make yeah.

03:02.430 --> 03:04.790
Windows here.

03:04.800 --> 03:05.150
Yeah.

03:05.190 --> 03:06.060
Create.

03:07.960 --> 03:08.380
And.

03:08.380 --> 03:08.860
Yeah.

03:09.660 --> 03:10.470
That's for sure.

03:10.470 --> 03:12.570
It's gonna work.

03:14.300 --> 03:16.010
Okay, Perfect.

03:16.890 --> 03:19.410
Let's make the screen bigger here.

03:19.500 --> 03:20.040
Yeah.

03:21.320 --> 03:22.720
Can you see it?

03:22.730 --> 03:24.290
Yeah, you can see it.

03:24.290 --> 03:27.050
Okay, let's open our windows here.

03:34.970 --> 03:39.440
And here, this is our Windows machine for our learning purposes.

03:39.560 --> 03:46.970
Now we can open the registry and then look at the registry, what these files are, what those

03:46.970 --> 03:49.340
parameters are. In order to open the registry,

03:49.370 --> 03:52.190
you just enter regedit here.

03:52.310 --> 04:00.680
If you are using older Windows versions, or if you write reg here and it doesn't show anything,

04:00.680 --> 04:05.890
you can use regedit.exe here or MSI here.

04:05.900 --> 04:07.700
It's the same actually.

04:07.940 --> 04:08.420
Yeah.

04:08.420 --> 04:09.650
And click yes.

04:10.430 --> 04:17.900
And here, as you can see, this is our registry editor program in Windows.

04:17.900 --> 04:20.000
So let's improve.

04:20.030 --> 04:22.370
Let's increase the font size a bit.

04:22.370 --> 04:27.050
And that's, you know, it's too much here even for the lecture.

04:27.630 --> 04:28.470
Yes.

04:29.430 --> 04:30.780
Uh, 14 is okay.

04:30.780 --> 04:33.690
And as you can see here, there we have the.

04:35.010 --> 04:39.210
Here, information, settings, parameters.

04:39.690 --> 04:46.770
Here, for example, it shows what AVI files open with by default.

04:46.770 --> 04:47.550
For example.

04:47.550 --> 04:48.030
Here.

04:48.030 --> 04:48.600
Here.

04:50.020 --> 04:51.340
As you can see here.

04:55.700 --> 04:56.270
Here.

05:01.300 --> 05:01.870
Here.

05:02.020 --> 05:03.100
So.

05:04.690 --> 05:07.840
Now we're going to learn more in.

05:08.140 --> 05:10.330
Learn more about the registry in the next lectures.

05:10.330 --> 05:16.540
But for now, we're going to just analyze it and look at the plugins that we're going to use with the.

05:18.190 --> 05:19.600
Uh, volatility framework.

05:19.600 --> 05:20.350
So.

05:21.510 --> 05:30.930
This is the hive list, the hive scan of registries here, and print it out so later I can share

05:30.930 --> 05:34.980
it with you in the attachments section of this lecture.

05:34.980 --> 05:37.800
And last we have hive list.

05:38.520 --> 05:46.050
So this is for more detailed information on registry hives and their location within

05:46.050 --> 05:46.590
the RAM.

05:46.590 --> 05:49.230
So the hive list plugin can be used here.

05:49.260 --> 05:56.580
The hive list plugin command here shows the details of virtual and physical addresses with more easily

05:56.580 --> 05:57.480
readable plaintext.

05:57.480 --> 06:01.260
So as its name suggests, you can't read anything from it.

06:01.260 --> 06:08.730
Like, you can't get details from it if you are not advanced in forensics and analytics here.

06:08.730 --> 06:15.210
But with this here, you can get the directories of the registry files here as here.

06:16.640 --> 06:16.950
Mhm.

06:16.970 --> 06:17.540
Okay.

06:18.230 --> 06:31.100
So more information on the registry can be found in the official Microsoft documentation here, named docs.microsoft.com.

06:33.120 --> 06:39.600
Uh, en-us, windows, win32.

06:40.360 --> 06:43.330
Sysinfo and registry.

06:44.210 --> 06:44.930
Has.

06:46.800 --> 06:47.400
Hives.

06:49.240 --> 06:53.200
And as you can see, there is a more information about the registry hives.

06:53.200 --> 06:57.940
And as you can see, previously we see.

06:58.840 --> 07:02.050
We serve the we serve the here.

07:05.940 --> 07:07.890
Okay, let's.

07:08.490 --> 07:09.150
Okay.

07:09.480 --> 07:16.110
So this explains what, like, the folder-like icons mean.

07:16.830 --> 07:25.380
So for example, the current config means the system files and supporting files.

07:25.380 --> 07:28.140
Local machine SAM, Sam.sav.

07:28.170 --> 07:36.200
This is the local machine security here, and other information can be found here on Microsoft's

07:36.210 --> 07:37.170
official.

07:39.450 --> 07:40.290
Website.
